IRS and FBI warn about business cyber scams that target COVID teleworkers
Friday, December 04, 2020
Among the many things COVID-19 has changed, possibly forever, is how and where we do our jobs. The work from home trend also has provided cyber criminals new ways to steal our identities and money — corporate cash, too — using telework security lapses and system flaws.
Yeah, workers still say this. However, there's a little less exultation in the announcement nowadays, what with many of us still working from home due to continuing coronavirus pandemic precautions.
Plus, COVID-19 means our prior welcome weekend happy hours now are via Zoom.
The work from home (WFH) shift also has created new scam and identity theft opportunities.
Now, instead of (or more likely, in addition to) focusing on company computer networks, crooks are going after all of us clicking away at computers in our makeshift home offices.
That's why on this final day of National Tax Security Awareness Week 2020, the fifth annual focus by the Internal Revenue Service and its Security Summit partners on ways to stop or at least slow tax-related crime, attention is given to ways crooks target tax professionals' businesses and their relocated employees.
"We've made tremendous progress in the past five years, but we still have work to do," said IRS Commissioner Chuck Rettig in this latest alert on potential telework scams. "The coronavirus and the increase in teleworking creates new ways for these sophisticated cybercriminals to scam people out of their money or their sensitive tax and financial information."
FBI warns of new email scamming technique: The IRS isn't the only federal agency concerned about such business-related schemes. The Federal Bureau of Investigation recently issued an alert about cyber criminals taking advantage of email auto-forwarding to increase their chances of success in Business Email Compromise (BEC) attacks.
In usual business email scams, online crooks spoof, or mimic, a legitimate email address. That makes the recipient think it's coming from within the business or from a client. The scammer's message typically is a request for payment, which the crook says can be made via wire transfer or gift card.
As the COVID-19 pandemic prompted a mass shift to telework, it created an associated increase of web-based email applications, notes the FBI. With that change of work procedures, cyber crooks began exploiting a weakness in some systems.
They implement auto-forwarding rules on victims' web-based email clients to conceal their activities. The web-based clients' forwarding rules often do not sync with the desktop client, making it more difficult for corporate cyber security administrators to see and catch the changes.
This leaves the employee and all connected networks vulnerable to cyber criminals, said the FBI in its Nov. 25 Private Industry Notification of how cyber criminals are adjusting to changed work situations during COVID-19.
"Even after a financial institution or law enforcement contact warns a victimized business of a potential BEC, a system audit may not identify the updated email rules if it does not audit both applications, increasing the time a cyber criminal can retain email access and continue BEC activity," said the nation's top law enforcement agency.
Recent, costly BEC: Cyber criminals then capitalize on this reduced visibility to increase their BEC schemes' success rates, which already have been pretty productive for the bad guys. The FBI's Internet Crime Complaint Center (IC3) reported that BEC schemes in 2019 resulted in fraudulent payments of more than $1.7 billion worldwide.
The criminal cost of BEC using auto-forwarding email rules was evident in August. That's when cybercriminals used the technique to attack the recently upgraded web client of a U.S.-based medical equipment company.
After the criminals gained access to the network, they impersonated a known international vendor and ended up stealing $175,000.
In another version of the scam, the IC3 in 2019 saw an increase in the number of business email complaints related to the diversion of payroll funds.
"In this type of scheme, a company's human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period," the FBI said. The requested change then routes the employee’s paycheck to a criminal.
Stopping work-related cyber crime: The FBI's cyber crime experts recommend a variety of ways to reduce the likelihood of these scams. They include:
- being watchful for last-minute changes in established email account addresses,
- checking email addresses for slight changes that can make fraudulent addresses appear legitimate,
- enabling multifactor authentication for all email accounts and
- prohibiting automatic forwarding of email to external addresses.
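The FBI's point that an audit must cover both applications, together with the recommendation to prohibit external auto-forwarding, can be checked mechanically. The following is an added example, not code from the FBI, the IRS or this post: it assumes each client's rules have been exported to a list of records (the field names, domains and sample rules are constructed) and flags every rule that forwards outside the organization, noting which client the rule is visible in.

```python
INTERNAL_DOMAINS = {"example-taxfirm.test"}  # assumption: the firm's own mail domains

# Constructed sample exports, one rule list per client (field names are hypothetical).
WEB_RULES = [
    {"mailbox": "ap@example-taxfirm.test", "name": "Archive", "forward_to": []},
    {"mailbox": "ap@example-taxfirm.test", "name": "Fwd", "forward_to": ["inbox77@mailer.example"]},
    {"mailbox": "hr@example-taxfirm.test", "name": "To assistant", "forward_to": ["pat@example-taxfirm.test"]},
]
DESKTOP_RULES = [
    {"mailbox": "ap@example-taxfirm.test", "name": "Archive", "forward_to": []},
    {"mailbox": "hr@example-taxfirm.test", "name": "To assistant", "forward_to": ["pat@example-taxfirm.test"]},
]

def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()

def external_targets(rule, internal=INTERNAL_DOMAINS):
    """Forwarding addresses in a rule that fall outside the internal domains."""
    return [a for a in rule["forward_to"] if domain_of(a) not in internal]

def rule_key(rule):
    """Identity used to match the same rule across the two client exports."""
    targets = tuple(sorted(a.lower() for a in rule["forward_to"]))
    return (rule["mailbox"].lower(), rule["name"], targets)

def audit(web_rules, desktop_rules, internal=INTERNAL_DOMAINS):
    """Findings for every rule, in either client, that forwards mail externally."""
    keys = {"web": {rule_key(r) for r in web_rules},
            "desktop": {rule_key(r) for r in desktop_rules}}
    findings, seen = [], set()
    for rule in list(web_rules) + list(desktop_rules):
        key, targets = rule_key(rule), external_targets(rule, internal)
        if not targets or key in seen:
            continue  # internal-only rule, or already reported from the other export
        seen.add(key)
        findings.append({
            "mailbox": rule["mailbox"],
            "rule": rule["name"],
            "external_targets": targets,
            # A rule seen only in "web" is the blind spot the FBI describes.
            "seen_in": sorted(c for c, ks in keys.items() if key in ks),
        })
    return findings

if __name__ == "__main__":
    for finding in audit(WEB_RULES, DESKTOP_RULES):
        print(finding)
```

Running the audit against the desktop export alone returns nothing for this sample, which is the gap the FBI notification warns about.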
Phishing scams still predominant: Recent BEC schemes essentially are a type of phishing, which remains a primary way that crooks try to get cash as well as individuals' personal and financial information.
Phishing emails generally have an urgent message, such as "your account password expired." They direct you to an official-looking link or attachment. But the link may take you to a fake site made to appear like a trusted source, where it requests your username and password.
In other cases, a scam email has a link or attachment that contains malware. It then secretly downloads software that tracks keystrokes and allows thieves to eventually steal the victim's passwords.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning about increased phishing scam activity.
The IRS often sees thieves posing as potential clients, trying to trick tax pros into opening an embedded link or attachment. Scams involving COVID-19 and the Economic Impact Payments also have been prevalent.
Tax protection suggestions: The IRS and Security Summit also offer what they have described as the Security Six measures to protect against cyber crimes, both in-office and where WFH employees are involved.
- Use anti-virus software and set it for automatic updates to keep your systems secure. This includes all digital products, computers and mobile phones.
- Use firewalls. Firewalls help shield computers from outside attacks but cannot protect systems in cases where users accidentally download malware, for example, from phishing email scams.
- Use multi-factor authentication to protect all online accounts, especially tax products, cloud software providers, email providers and social media.
- Back up sensitive files, especially client data, to secure external sources, such as an external hard drive or cloud storage.
- Encrypt data. Tax professionals should consider drive encryption products for full-drive encryption. This will encrypt all data.
- Use a Virtual Private Network (VPN) product. As more practitioners work remotely during the pandemic, a VPN is critical for secure connections.
A quick note here. These online security recommendations are not just for tax professionals. They can protect individual taxpayers, too.
Importance of virtual private networks: In its final Security Awareness tip this year, the IRS and Security Summit stress the use of VPNs for WFH employees.
A VPN provides a secure, encrypted tunnel to transmit data between a remote user via the internet and the company network. As teleworking or working from home continues during COVID-19, VPNs are critical to protecting and securing internet connections.
Failing to use VPNs can increase the risk of remote takeovers by cyberthieves, giving criminals access to the tax professional's entire office network simply by accessing an employee's remote internet connection.
Tax professionals should seek out cybersecurity experts whenever possible to help establish secure in-house and telework systems. You also can search online using the term "Best VPNs" to find a legitimate vendor. Also check out major technology sites, which often provide lists of top services.
The bottom line is that workplace security, whether the work is being done from an office or from employees' homes, always has been critical to protecting tax professionals, their taxpayer clients and Uncle Sam from tax ID theft. The security focus is even more vital during this global medical crisis when more people are in unfamiliar work environments.
Wherever you are, on or off the timeclock, stay safe, stay secure, stay vigilant.